Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Insufficient Resource Allocation Limits in nopCommerce v4.10 and v4.80.3 Excel Import Functionality

From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 17 Aug 2025 23:01:41 -0400
nopCommerce is vulnerable to Insufficient Resource Allocation Limits when
handling large Excel file imports. Although the application provides a
warning message recommending that users avoid importing more than 500–1,000
records at once due to memory constraints, the system does not enforce hard
limits on file size, record count, or concurrent imports.

An attacker can exploit this by uploading excessively large Excel files or
automating multiple simultaneous uploads (e.g., using Burp Suite or another
proxy tool). This results in resource exhaustion on the application server,
leading to significant performance degradation and potential denial of
service (DoS) conditions.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: